FCDO Services

Microsoft Office 365

FCO Services' managed Microsoft Office 365 is specifically for government departments working at the OFFICIAL classification requiring a collaboration solution.
As a UK government department and Tier 1 Microsoft Cloud Solution Provider, FCO Services is uniquely positioned to support UK government departments in their cloud adoption and drive to cloud.


  • UK government OFFICIAL configuration tailored to UK government needs
  • Flexible deployment scenarios including cloud, hybrid authentication and on premise
  • Integration options such as Identity and Single Sign-On (SSO)
  • Migration, platform administration and 1st/2nd/3rd line support options
  • Advanced Email Antivirus and malware protection with 1GB mailbox storage
  • Extensive Licensing plans as as Microsoft CSP
  • IT Operations Management and Support up to 24x7x365


  • In government partner
  • 100% UK Security cleared staff
  • Complies with National Cyber Security Centre guidance e.g. DMARC
  • Microsoft Cloud Solution Provider; enabling access to competitive licensing costs
  • Can advise on ideal licensing options based on security requirements
  • Experienced at deploying and supporting Office 365 for central government


£5.68 a user a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at FCOServices-SPGTenders@fco.gov.uk. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

3 9 1 1 1 9 8 1 2 5 9 4 0 1 2


FCDO Services Elizabeth Arneill
Telephone: 01908 515789
Email: FCOServices-SPGTenders@fco.gov.uk

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Windows 10
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
Customers store and process UK OFFICIAL government data Agreement to FCO Services standard ‘secure’ configuration in line with UK government recommended guidelines
Agreement to FCO Services standard service policies related to restrictions on connectivity and web browsing
As a Software-As-A-Service Solutions Microsoft 365) has it's own specified availability targets as part of its service offering which consumers of the service accept.
System requirements
  • Computer and processor Windows: 1.6 GHz or faster, 2-core.
  • 2.0 GHz or greater recommended for Skype for Business
  • MacOS: Intel processor
  • Memory Windows: 4GB RAM; 2 GB RAM (32-bit)
  • MacOS: 4 GB RAM
  • Hard disk Windows: 4.0 GB of available disk space
  • MacOS: 10 GB of available disk space.
  • Display Windows: 1280 x 768 screen resolution
  • MacOS: 1280 x 800 screen resolution

User support

Email or online ticketing support
Email or online ticketing
Support response times
Based on the priority of the ticket, FCO Services can respond within 30 minutes on a 24x7x365 basis.
User can manage status and priority of support tickets
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
FCO Services operational support capability is supported by its use of a recognised, industry leading, ITSM platform and is aligned to industry recognised frameworks and standards that include ITIL, ISO 9001, ISO 20000, ISO 27001 and ISO 22301. Core operational support practices include Incident, Request,
Configuration, Change, & Service Performance Management which can be delivered on a 24x7x365 basis with the single point of contact for customers being the FCO Service Global Support Centre (GSC).
Support available to third parties

Onboarding and offboarding

Getting started
FFCO services carries out a standard set of activities to on-board customers as part of its Transition-Into-Service. In order to facilitate this the following information is required from the customer - identified through initial engagement. User details (Minimum information required is First Name, Surname, Telephone, Email Address, Organisation/Company) Agreement
on any accepted variances to standard service offerings and configuration settings Customer confirmation of Greenfield/Migration implementation/Transition to FCO Services Microsoft relationship management details External domains used and technical points of contact Clients & Web browsers used to connect to Microsoft applications Microsoft Exchange - Version of Exchange (On Premise), Exchange prerequisites, Client(s) used to connect to exchange Microsoft Dynamics - Version of Dynamics (On Premises), Environments to be managed and supported (e.g. Test/Dev, Pre-Production, Production), Microsoft Dynamics pre-requisites As part of On-Boarding, and full acceptance-intoservice, FCO Services will allocate a Service Delivery Manager (SDM) to the customer who will act as the operational point of contact for the duration of service provision.
Service documentation
Documentation formats
End-of-contract data extraction
In the event of customer confirmation for off-boarding the SDM will liaise with the customer to understand the customer needs and initiate service decommissioning steps that would include, but not limited to:-

• Timescales
• Device decommissioning procedures
• Data backup/transfer
End-of-contract process
The service is designed so that customers have the ability to extract their data from the service at any time. Upon termination or expiration of the customer’s subscription, the customer may contact FCO Services and request that:
a) Their accounts be disabled and all data deleted (in accordance with assured processes); or
b) The customer data is retained in a limited function for a maximum of 28 days after expiration or termination of the service so that further data may be extracted.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Compatible operating systems
  • Android
  • IOS
  • Windows
  • Windows Phone
Designed for use on mobile devices
Differences between the mobile and desktop service
Mobile optimised.
Service interface
Description of service interface
Office 365 provides web interfaces for all Office 365 SaaS applications including but not limited to: • Outlook, OneNote, OneDrive, Excel, Word, PowerPoint, SharePoint, Teams, Yammer, Calendar, Flow that can be used
separately or in conjunction with desktop software. Also provided are web interfaces for Office 365 tenant management that administrators can use to manage every aspect of Office 365 these web interfaces can be tailored by FCO Services to suit individual needs including role based access models dependent on customer requirements. All configuration is undertaken through the management consoles using a combination of GUI, PowerShell and Azure runbook scripting.
Accessibility standards
WCAG 2.1 A
Accessibility testing
Because Microsoft is a major software and cloud-services provider to states and governments around the world, it is committed to complying with all relevant international standards and compliance controls. By adhering to these wide ranging accessibility standards, Microsoft ensures that all customers - both inside and outside of government can use Microsoft services and products.
Customisation available
Description of customisation
FCO Services secure configuration of the Microsoft Office 365 has been configured to reflect best practice guidelines as defined by the NCSC.
During initial engagement any customer requirements where configuration changes are identified will require discussion and agreement.


Independence of resources
FCO Services can provide the expertise required to ensure your Office 365 solution can scale quickly and react to additional workloads meaning that when your current resources are at full capacity, additional resources can be added dynamically.

This can be achieved by capacity analysis providing you with threshold limits, current and future utilisation to ensure an elastic cloud solution service.

For cloud and hybrid deployment models each customer is
provisioned with its own environment isolated from other
customers with its own resources and capacity.


Service usage metrics
Metrics types
Standard Microsoft Office 365 Reporting Dashboard
Office activation's
User Activity - Email, Teams, Skype
for Business
Files - SharePoint, OneDrive
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Reseller providing extra support
Organisation whose services are being resold

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Small exports (up to 4GB) can be through approved encrypted USB sticks and large volumes (4GB and above) via encrypted approved USB hard drive via request.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Availability management for the MSO365 environments is determined by Microsoft availability targets for the service offering procured by FCO from Microsoft – this is 99.9% for MS Office 365 Cloud services.
Note: Worldwide uptimes are published by MS on https://products.office.com/en-us/business/office-365-trust-center-operations with FCO Services able to provide reports on the FCO MS service offering through the standard MSO365 dashboard reporting.
Approach to resilience
Resiliency is the ability of a cloud-based service to withstand certain types of failures whilst remaining fully-functional from the customers' perspective. Data resiliency means that no matter what failures occur within Office 365, critical customer data remains unaffected. Office 365 services have been designed around five specific resiliency principles:
1. Non-critical data (e.g., whether or not a message was read) can be dropped in rare failure scenarios. Critical data (e.g., customer data such as email messages) should be protected at extreme cost. As a design goal, delivered mail messages are always critical, and things like whether or not a message has been read is noncritical.
2. Copies of customer data must be separated into different fault zones to provide failure isolation.
3. Critical customer data must be monitored for failing any part of Atomicity, Consistency, Isolation, Durability.
4. Customer data must be protected from corruption.
5. Most data loss results from customer actions, so allow customers to recover on their own using a GUI that enables them to restore accidentally deleted items.
Building to these principles, coupled with robust testing, Office 365 is able to exceed the requirements of customers while ensuring a platform for continuous innovation and improvement.
Outage reporting
All MS O365 outages are reported here: https://status.office365.com/

FCO Services have also integrated our onpremise SCOM (System Center Operations Manager) system to monitor alerts directly to our tenants via the Service Health admin portal.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Management interfaces are restricted to key support personnel, audited and monitored, accessed through dedicated hardware device and dedicated Bastion infrastructure.
Secure devices follow National Cyber Security Centre (NCSC) guidance; Bastion infrastructure requires 2 factor authentication to access management interfaces.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Less than 1 month
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
14th January 2019. Expires 13th January 2022
What the ISO/IEC 27001 doesn’t cover
This is in scope:
FCO Services Global Digital Technology including infrastructure, development, operations and support for Secure Managed and hosted IT Services holding information up to "OFFICIAL" tier of the UK Government's classification scheme in accordance with statement of Applicability dated 27 July 2018.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • Cyber Essentials Plus
  • ISO 20000
  • ISO 9001
  • ISO 9001

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
FCO Services products and operational support and
management are designed with security in mind with
consideration and alignment with the National Cyber Security
Centre (NCSC) 'Cloud Security Principles' - in addition to
alignment with the ITIL framework and compliance with the
following ISO Standards:- * 27001 (Information Security
Management) * Cyber Essentials Plus * 20000 (Service
Management System) * 9001 (Quality Management) * 22301
(Business Continuity Management) FCO Services ISO
accreditation is independently verified, annually, by an external
assessor, and also manages the UK National Authority for
Counter Eavesdropping (UK NACE) - who have more than 65
years of experience in detecting and protecting against
technical espionage and attacks

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The FCO Services Configuration Management System (CMS) is used to manage and control the components comprising products and services being supported – recorded within the FCO Services ITSM Configuration Management database (CMDB). Utilisation of a standardised data model of technical and non-technical components, the Configuration Items (CI’S)
are managed in a consistent controlled manner aiding the evaluation ofimpacts and risks during the Change Management process. From a customer perspective, the standard offering within the FCO Services CMS will hold detail on the services operationally managed and supported with the associated CI’s.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
FCO Services vulnerability management approach is aligned to meet the Information Assurance requirements expected by all HMG organisations as well as international standards for information Security management (e.g. Cabinet Office Security Policy Framework, ISO/IEC 27001:203).
This ensures that both internal and client systems managed by FCO Services are subject to standard procedures for the identification of vulnerabilities as well as the safe and timely installation of patches with maximum permitted timescales. Patches are prioritised dependent upon categorisation of systems under FCO Services management responsibility with vulnerabilities systematically assessed and remediated on timescales ranging from immediate to 4 weeks.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
FCO Services protective monitoring encompasses security, availability and resilience with options available for customer specific requirements and solutions that can be delivered on a 24x7x365 basis - with incidents classified as Major incidents KPI metrics based on responses within 30 minutes. Any agreed targets are supported using FCO Services ISO 2000 accredited processes which take an integrated approach to Event, Incident, Problem and Change Management - with FCO Services Major
Incident and Service Performance Management practices delivering further detail to customers in the event of issues encountered over an agreed reporting period.
Incident management type
Supplier-defined controls
Incident management approach
FCO Services’ Global Support Centre acts as the single point of contact for all interactions, incidents and service requests from the customer, with the service capable of delivering operational support and management on a 24x7x365 basis. The primary objective for incident management is the use of structured incident management activities to identify and resolve
service quality issues within service level targets agreed during initial customer engagement. The GSC can support multiple contact methods which include direct interaction with the customer end-user or desk-desk interaction which triages calls before allocation to FCO Services.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
Connected networks
Public Services Network (PSN)


£5.68 a user a month
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at FCOServices-SPGTenders@fco.gov.uk. Tell them what format you need. It will help if you say what assistive technology you use.